P0wned by Russian malware spam?

#1 Mon, 09/02/2019 - 18:05
oneearth

I was going through my CentOS 7 VPS maillog (vps1) and saw this entry coming from (???) another of my VPSes (vps2):

Sep  2 22:02:35 server postfix/smtpd[6362]: connect from server.myvps2.com[valid.ip_of.my.vps2]
Sep  2 22:02:35 server postgrey[187]: action=pass, reason=client AWL, client_name=server.myvps2.com, client_address=valid.ip_of.my.vps2, sender=existing_user@server.myvps2.com, recipient=valid_email@one_of_the_domains_on_this_vps1.com
Sep  2 22:02:35 server postfix/smtpd[6362]: 4A9A33B00230: client=server.myvps2.com[valid.ip_of.my.vps2]
Sep  2 22:02:35 server postfix/cleanup[7734]: 4A9A33B00230: message-id=<e11efc48bc6c10c01823393cdfc68c13@existing_domain_on_my_vps2.com>
Sep  2 22:02:35 server opendkim[742]: 4A9A33B00230: server.myvps2.com[valid.ip_of.my.vps2] not internal
Sep  2 22:02:35 server opendkim[742]: 4A9A33B00230: not authenticated
Sep  2 22:02:35 server opendkim[742]: 4A9A33B00230: no signing domain match for 'rambler.ru'
Sep  2 22:02:35 server opendkim[742]: 4A9A33B00230: no signing subdomain match for 'rambler.ru'
Sep  2 22:02:37 server opendkim[742]: 4A9A33B00230: key retrieval failed (s=2017, d=rambler.ru): '2017._domainkey.rambler.ru' record not found
Sep  2 22:02:37 server postfix/smtpd[6362]: disconnect from server.myvps2.com[valid.ip_of.my.vps2]
Sep  2 22:02:37 server postfix/qmgr[936]: 4A9A33B00230: from=<existing_user@server.myvps2.com>, size=35439, nrcpt=1 (queue active)

So then I checked the maillog on vps2 and found this entry:

Sep 2 22:02:40 server postfix/pickup[1322]: 810B120728: uid=501 from=<existing_user>
Sep 2 22:02:40 server postfix/cleanup[3057]: 810B120728: message-id=<e11efc48bc6c10c01823393cdfc68c13@one_of_the_domains_on_vps2.com>
Sep 2 22:02:40 server opendkim[570]: 810B120728: DKIM-Signature field added (s=2017, d=rambler.ru)
Sep 2 22:02:40 server postfix/qmgr[4422]: 810B120728: from=<existing_user@server.myvps2.com>, size=34615, nrcpt=1 (queue active)
Sep 2 22:02:41 server postfix/smtpd[1265]: warning: unknown[141.98.9.5]: SASL LOGIN authentication failed: authentication failure
Sep 2 22:02:42 server postfix/smtpd[1158]: warning: unknown[141.98.9.205]: SASL LOGIN authentication failed: authentication failure
Sep 2 22:02:42 server postfix/smtpd[1265]: disconnect from unknown[141.98.9.5]
Sep 2 22:02:43 server postfix/smtpd[1158]: disconnect from unknown[141.98.9.205]
Sep 2 22:02:43 server postfix/smtp[3060]: 810B120728: to=<valid_email@one_of_the_domains_on_that_vps2.com>, orig_to=<valid_user2@one_of_the_domains_on_this_vps2>, relay=mail.one_of_the_domains_on_that_vps1.com [valid.ip_of.my.vps1]:25, delay=2.7, delays=0.07/0.01/0.42/2.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4A9A33B00230)
Sep 2 22:02:43 server postfix/qmgr[4422]: 810B120728: removed

Has some Russian email spammer gotten hold of the valid IP and hostname of my other VPS, and even found out one of the domains on that VPS, and is now sending out spam on my other VPS?

Have I been p0wned and do I need to re-create my vps2?

Or did a Russian spammer crack the password to <valid_user2@one_of_the_domains_on_this_vps2> and send out a test email using an email address (which happened to be one of my email addresses on vps1) that was in the mailbox? In that case, I can delete that email account and recreate it, or change the password.
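The two log excerpts above already answer the "which of the two" question if they are read by entry point rather than by sender address. A message that a spammer submitted with a cracked mailbox password arrives through smtpd(8) with SMTP AUTH and is logged as `postfix/smtpd[...]: QID: client=..., sasl_method=..., sasl_username=...`. The vps2 line instead reads `postfix/pickup[1322]: 810B120728: uid=501 from=<existing_user>`, which is pickup(8) collecting a message handed in locally through the sendmail(1)/postdrop(1) interface by a process running as uid 501 on vps2 itself. The following line, `opendkim[570]: 810B120728: DKIM-Signature field added (s=2017, d=rambler.ru)`, shows that OpenDKIM on vps2 is configured to sign with a rambler.ru key and selector, which the receiving side on vps1 then fails to look up in DNS. The SASL LOGIN failures from 141.98.9.5 and 141.98.9.205 are separate password-guessing attempts that did not succeed in the excerpt shown. The script below is an added example, not code from the post or from Postfix/OpenDKIM: it runs that classification over the posted log lines (embedded as constructed sample input, with the poster's redaction placeholders kept verbatim) and links the vps2 queue id to the vps1 queue id through the `queued as` reply in the delivery line. `OUR_DOMAINS`, `EXPECTED_PICKUP_UIDS`, the finding labels and the function names are assumptions of the example.

```python
import re
from collections import Counter

# Constructed sample input: the two excerpts from the post, placeholders kept as posted.
VPS1_LOG = """\
Sep  2 22:02:35 server postfix/smtpd[6362]: connect from server.myvps2.com[valid.ip_of.my.vps2]
Sep  2 22:02:35 server postgrey[187]: action=pass, reason=client AWL, client_name=server.myvps2.com, client_address=valid.ip_of.my.vps2, sender=existing_user@server.myvps2.com, recipient=valid_email@one_of_the_domains_on_this_vps1.com
Sep  2 22:02:35 server postfix/smtpd[6362]: 4A9A33B00230: client=server.myvps2.com[valid.ip_of.my.vps2]
Sep  2 22:02:35 server opendkim[742]: 4A9A33B00230: server.myvps2.com[valid.ip_of.my.vps2] not internal
Sep  2 22:02:35 server opendkim[742]: 4A9A33B00230: not authenticated
Sep  2 22:02:35 server opendkim[742]: 4A9A33B00230: no signing domain match for 'rambler.ru'
Sep  2 22:02:37 server opendkim[742]: 4A9A33B00230: key retrieval failed (s=2017, d=rambler.ru): '2017._domainkey.rambler.ru' record not found
Sep  2 22:02:37 server postfix/qmgr[936]: 4A9A33B00230: from=<existing_user@server.myvps2.com>, size=35439, nrcpt=1 (queue active)
"""

VPS2_LOG = """\
Sep 2 22:02:40 server postfix/pickup[1322]: 810B120728: uid=501 from=<existing_user>
Sep 2 22:02:40 server opendkim[570]: 810B120728: DKIM-Signature field added (s=2017, d=rambler.ru)
Sep 2 22:02:40 server postfix/qmgr[4422]: 810B120728: from=<existing_user@server.myvps2.com>, size=34615, nrcpt=1 (queue active)
Sep 2 22:02:41 server postfix/smtpd[1265]: warning: unknown[141.98.9.5]: SASL LOGIN authentication failed: authentication failure
Sep 2 22:02:42 server postfix/smtpd[1158]: warning: unknown[141.98.9.205]: SASL LOGIN authentication failed: authentication failure
Sep 2 22:02:43 server postfix/smtp[3060]: 810B120728: to=<valid_email@one_of_the_domains_on_that_vps2.com>, relay=mail.one_of_the_domains_on_that_vps1.com [valid.ip_of.my.vps1]:25, delay=2.7, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4A9A33B00230)
"""

# Assumptions of this example (not stated in the post): the domains vps2 is supposed
# to DKIM-sign for, and the local uids that are allowed to hand mail to pickup(8).
OUR_DOMAINS = {"server.myvps2.com", "one_of_the_domains_on_vps2.com"}
EXPECTED_PICKUP_UIDS = {0}  # e.g. root cron jobs; uid 501 from the post is not in the set

QID = r"(?P<qid>[0-9A-F]+)"
RE_PICKUP = re.compile(r"postfix/pickup\[\d+\]: " + QID + r": uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
# Real SMTP AUTH submissions carry ", sasl_method=..., sasl_username=..." after the client field.
RE_SMTPD = re.compile(r"postfix/smtpd\[\d+\]: " + QID + r": client=(?P<client>[^,\s]+)"
                      r"(?:, sasl_method=\S+, sasl_username=(?P<user>\S+))?")
RE_SIGNED = re.compile(r"opendkim\[\d+\]: " + QID + r": DKIM-Signature field added \(s=(?P<sel>[^,]+), d=(?P<dom>[^)]+)\)")
RE_KEYFAIL = re.compile(r"opendkim\[\d+\]: " + QID + r": key retrieval failed \(s=(?P<sel>[^,]+), d=(?P<dom>[^)]+)\)")
RE_SASL_FAIL = re.compile(r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \S+ authentication failed")
RE_RELAYED = re.compile(QID + r": to=<[^>]*>.*relay=(?P<relay>\S+).*status=sent \(250 [\d.]+ Ok: queued as (?P<remote>[0-9A-F]+)\)")


def analyse(log_text, our_domains=OUR_DOMAINS, expected_uids=EXPECTED_PICKUP_UIDS):
    """Classify how each queue id entered Postfix and collect the suspicious events."""
    entry = {}       # qid -> ("local", uid) | ("smtp-auth", user) | ("smtp", client)
    relayed = {}     # local qid -> (next-hop relay, queue id assigned by the next hop)
    sasl_fail = Counter()
    findings = []
    for line in log_text.splitlines():
        if m := RE_PICKUP.search(line):
            uid = int(m["uid"])
            entry[m["qid"]] = ("local", uid)
            if uid not in expected_uids:
                findings.append(("local_injection_unexpected_uid", m["qid"], uid))
        elif m := RE_SMTPD.search(line):
            entry[m["qid"]] = ("smtp-auth", m["user"]) if m["user"] else ("smtp", m["client"])
        elif m := RE_SIGNED.search(line):
            if m["dom"] not in our_domains:
                findings.append(("signed_for_foreign_domain", m["qid"], m["dom"]))
        elif m := RE_KEYFAIL.search(line):
            findings.append(("dkim_key_not_found", m["qid"], f"{m['sel']}._domainkey.{m['dom']}"))
        elif m := RE_SASL_FAIL.search(line):
            sasl_fail[m["ip"]] += 1
        elif m := RE_RELAYED.search(line):
            relayed[m["qid"]] = (m["relay"], m["remote"])
    return {"entry": entry, "relayed": relayed, "findings": findings, "sasl_fail": dict(sasl_fail)}


def trace_origin(sender_report, receiver_report):
    """Map each queue id on the receiving host back to how the message entered the sending host."""
    origin = {}
    for local_qid, (_relay, remote_qid) in sender_report["relayed"].items():
        if remote_qid in receiver_report["entry"]:
            origin[remote_qid] = (local_qid, sender_report["entry"].get(local_qid))
    return origin


if __name__ == "__main__":
    vps2, vps1 = analyse(VPS2_LOG), analyse(VPS1_LOG)
    for finding in vps2["findings"] + vps1["findings"]:
        print("finding:", finding)
    print("SASL failures by client:", vps2["sasl_fail"])
    print("origin of vps1 queue ids:", trace_origin(vps2, vps1))
```

Run against the two excerpts, `trace_origin` reports that vps1's 4A9A33B00230 is vps2's 810B120728 and that it entered vps2 as a local submission by uid 501, not through an authenticated SMTP session. On a real host the next step is to find out which account on vps2 has uid 501 (`getent passwd 501`) and what that account was running at 22:02:40, since a local sendmail(1) call points at a process on the box (a web application, a cron job or a shell) rather than at a guessed mailbox password; the two SASL failures can be counted the same way across a whole day's log to see whether any client ever succeeded.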